MQTT MTLS connection with different CA - ssl

I am trying mtls authentication in MQTT. I am using mosquitto to achieve this. When I created a server and client certificate from the same CA then the connection was successful. But if I use a different CA for creating a client certificate then it's failing with the below message
Client null sending CONNECT
OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error: The connection was lost.
Is it mandatory to use the same CA for both client and server certificates in mtls?
Mosquitto.conf
listener 8883
certfile C:\\server.crt
keyfile C:\\server.key
require_certificate true
cafile C:\mqtt-ssl-demo\ca.crt
allow_anonymous true
Running broker using
mosquitto -c "C:\Program Files\mosquitto\mosquitto.conf"
Subscribe with a client with a certificate signed by server cert ca [SUCCESS]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\client.crt --key C:\mqtt-ssl-demo\client.key
Subscribe with a client with a certificate signed by other ca [FAILURE]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\otherclient.crt --key C:\mqtt-ssl-demo\otherclient.key
Created certificate using Mosquitto SSL Configuration -MQTT TLS Security

The important thing to realise here is that the CA file passed to the broker as part of it's config is used to verify the certificate of any connecting clients.
Where as the CA file passed to the client (mosquitto_sub) is used to verify the certificate the broker presents.
So if you are using different CAs then these files need to be different, it's not clear from what you've posted which CA certs you are using where.

Related

using mosquitto_sub with --insecure

Right now I have to do an initial test of a mqtt broker (ssl).
However right now I don't have the valid truststore certificates, however I would like to test the basic connectivity, ignoring SSL errors regarding hostname verification, certificate validation etc.
Unfortunately I am not successful, even with a broker I know it's working.
What I'm doing:
mosquitto_sub -h the_host -p 8883 -t '#' -v -u myUser -P myPass --insecure -d --capath /etc/ssl/certs
According to the manpage I just use the --capath to identify it's a TLS connection, well knowing that the necessary root certificate is not available here.
What I get is this:
Client mosqsub|11262-csbox sending CONNECT
Error: A TLS error occurred.
Any idea what I'm doing wrong?
Using --insecure just disables the verification of the hostname in the certificate presented by the broker. It does not remove the need to have a copy of the CA certificate that signed the brokers certificate.
So if /etc/ssl/certs doesn't contain a matching CA certificate then the connection will fail.
If needed you should be able to use something like openssl s_client to download the certificate chain directly from the broker, you can then point to that file with the --cafile option instead of the --capath option.

Kafka, why do I need to pass the certificate chain and not only the root ca when testing with kafka-console-producer (or Kafkcat)

I have a Kafka cluster which is configured to be used over ssl on port 9093.
In order for me successfully send data on port 9093 I need to pass the certificate chain (intermediate + root CA) (all these are self signed stuff)
echo "Hello" | kafkacat -P -b localhost:9095 -t my-topic \
-X security.protocol=ssl \
-X ssl.key.location=cert-key.pem \
-X ssl.ca.location=chain.crt
(chain.crt is a file with the rootCA and intermediate cert)
My question is why do I need to issue the full chain and not just the root CA in the ssl.ca.location param ?
ssl.key.location is the client's certificate for authenticating to the broker.
ssl.ca.location is used by the client to verify the broker's certificate.

Mosquitto TLS, works with MQTTfx but not mosquitto_pub (tlsv1 alert unknown ca)

Quite strange issue
I have mosquitto broker working with TLS
It is correctly accessible by an MQTTfx client set up for 'Enable SSL/TLS, TLSv1.2, CA certificate file'
The same ca.crt file is used by a openwrt mosquitto client issuing
# mosquitto_pub -h x.x.x.x -p 8883 --cafile /etc/mosquitto/certs/ca.crt -i 1.1.1.1 -t test -m 123 -d
it returns
Client 1.1.1.1 sending CONNECT
Error: A TLS error occurred.
At the orher end, the broker, shows
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client (null), disconnecting.
What is messing me up is the fact that the MQTTfx client instead is accepted, and it's using the same certificate..!
New connection from y.y.y.y on port 8883.
New client connected from y.y.y.y as 180ce1c04c1944e1964608221efbcf0a (c1, k60).
Sending CONNACK to 180ce1c04c1944e1964608221efbcf0a (0)
Should mean that the certificate is valid and trusted... isn't it?
What's wrong then with the other client using the exact same certificate file ?!?!
...at the end using --insecure option did the job.
Means verification of the server hostname in the server certificate.
Well it works, although using this option in a production environment potentially invalidates the use of encryption.

Mosquitto TLS/SSL SSL3_READ_BYTES: ssl handshake failure, Error: Success and sslv3 alert

I tried following the guide shown by mosquitto but once I launch the mosquitto
mosquitto -c mosquitto.conf
which defines port, location of ca.crt, server.crt, server.key
then I followed similar step using the same CA file, to sign the client key and certificate.
Then launched client
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] -t "hello" -m "hello world"
when I do it like this without key and certificate I get
Error: Success
but when I do it with key and certificate
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] --cert [client.crt path] --key [client1.key path] t "hello" -m "hello world"
I get
Error:Success
On the server side I See the following errors
... routines:SSL3_READ_BYTES: sslv3 alert certificate unknown
... routines:SSL3_READ_BYTES: ssl handshake failure
I ran openssl commands to verify CA approves of both generated certificates, and it did.
It turns out, when entering the detail of the certificate, i mistake the common name section's purpose. After I set it to the ip address of the server, it all worked well
I was getting the same error. I tried to subscribe like this:
mosquitto_sub -h ip_address -p 8883 -t topic --cafile /etc/mosquitto/ca_certificates/ca.crt -d.
Replace ip_addres with your ip address that you wrote when you created certificate. In your question, you wrote localhost. If you replace it with ip address it will be work.

How do I set up TLS on a mosquitto (MQTT) broker?

I got mosquitto working, using plain old TCP but i want to secure it using SSL and TLS, so i followed the following guide to create the certificates for my mosquitto broker:
https://mosquitto.org/man/mosquitto-tls-7.html
Then I added the following lines to the config file:
listener 8883
cafile /mqtt/certs/ca.crt
certfile /mqtt/certs/server.crt
keyfile /mqtt/certs/server.key
require_certificate false
But now when i try to use mosquitto_sub on another machine to try to connect to the mosquitto broker over port 8883 (TLS), i get the following error on the broker
New connection from XX.XXX.XXX.XXX on port 8883.
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client <unknown>, disconnecting.
I've tried doing the mosquitto_sub the following ways:
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --cert client.crt --key client.key
And the certificates on the client side were generated based on the first link i mentioned earlier.
Anyone know why this is happening and how I can go about fixing it?
This is the good way to subscribe as you do not require client certificate :
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
It seems that the client fail to verify the server certificate.
You should make sure that :
ca.crt is the same on client and server side
the common name of your server certificate corresponds to its hostname
Also check if you have the same openssl version on server and client side as this error could also happen if client and server do not use a common protocol or do not share any cypher
hope it could help, else I will be interested to know how you solved this problem
Try --insecure option.
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --insecure